Summary
Summary: This plugin adds auditing functionality to WordPress by adding extra REST API endpoints. Through them you can see the core version, whether a core update is available, the installed plugins, whether each plugin is active, whether each plugin has auto-update enabled, whether each plugin has an update, the list of vulnerabilities for the plugins, and the installed themes.
1. What is the main function of this plugin?
- Provides auditing functionality for WordPress
- Implemented by adding extra REST API endpoints
2. What information can be viewed through this plugin?
- Core version
- Whether a core update is available
- Installed plugins
- Whether plugins are active
- Whether plugins have auto-update enabled
- Whether plugins have updates
- List of plugin vulnerabilities
- Installed themes
3. What if the user's REST API is disabled?
- The plugin can push the information to another endpoint
4. Does using this plugin require other dependencies?
- The WPVulnerability plugin can be used to obtain vulnerabilities of WordPress components, but it is not required
5. How is authentication handled?
- The plugin adds a new user, cloudaware, with a random password, and adds a new role to the WordPress installation
6. What should be noted about the use of external services?
- Services provided by GitHub and Slider Revolution are used to determine the latest versions of installed software components
- Apart from the usual headers of a GET request (IP address, User-Agent), no other information is sent to these services; in particular, version information is not transmitted to external services.
Original plugin description
This plugin adds auditing functionality to WordPress. It does this by adding extra
REST API endpoints. Using these endpoints it is possible to:
– see the version of core
– see whether there is an update available for core
– see what plugins are installed
– see whether these plugins have been activated
– see whether these plugins have auto-update enabled
– see whether these plugins have updates
– see a list of vulnerabilities for these plugins
– see what themes are installed
– check if 2FA is enabled
– see MD5 hashes of all theme and plugin folders
For installations where the REST API is disabled, the plugin can also push this information to an endpoint.
This will work for installations that are behind a geoblock or have no REST API. To disable this, remove the
cronjob.
Dependencies
For getting vulnerabilities of WordPress components this plugin can use the WPVulnerability plugin
(https://wordpress.org/plugins/wpvulnerability/). If that plugin is installed, it will be used; otherwise this plugin
will work without the information from the WPVulnerability plugin.
Without installing this dependency no data is transferred to WPVulnerability. Please see https://www.wpvulnerability.com/privacy/
for more information.
External services
In order to determine the latest version of installed software components this plugin uses the following
external services:
GitHub
Terms of Service: https://docs.github.com/en/site-policy/github-terms/github-terms-of-service
Privacy Statement: https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement
– Releases list from ImageMagick github repository (https://api.github.com/repos/ImageMagick/ImageMagick/releases)
– Releases list from curl github repository (https://api.github.com/repos/curl/curl/releases)
Slider Revolution
Terms of Service: https://www.sliderrevolution.com/terms/
Privacy Statement: https://www.sliderrevolution.com/terms/privacy/
– Changelog documentation from Slider Revolution website (https://www.sliderrevolution.com/documentation/changelog/)
Apart from the usual headers (IP address, User-Agent) used in a GET request, no other information is sent to these services.
Specifically, no version information is transmitted to external services.
If you fill out an external URL in the callback URL field in the settings, a WordPress cronjob will send a POST request
with the audit data to this URL daily.
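A sketch of how the two mechanisms described above, a REST endpoint exposing the core and plugin audit and a daily cron push to the callback URL, can be built on standard WordPress APIs; this is an added illustration, not the plugin's own code, and the namespace wpaudit/v1, the capability read_wp_audit, the option wpaudit_callback_url and the hook names are assumptions.

```php
<?php
/*
 * Hypothetical sketch of the two mechanisms the description names: a
 * capability-gated REST endpoint returning a core/plugin audit, and a daily
 * cron that POSTs the same data to a callback URL. All names are assumed.
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'wpaudit/v1', '/audit', array(
        'methods'             => 'GET',
        'callback'            => 'wpaudit_collect',
        // Only a user holding the dedicated audit capability may read this.
        'permission_callback' => function () {
            return current_user_can( 'read_wp_audit' );
        },
    ) );
} );

function wpaudit_collect() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $updates = get_site_transient( 'update_plugins' );
    $plugins = array();
    foreach ( get_plugins() as $file => $data ) {
        $plugins[ $file ] = array(
            'version'    => $data['Version'],
            'active'     => is_plugin_active( $file ),
            'has_update' => isset( $updates->response[ $file ] ),
        );
    }
    return array(
        'core_version' => get_bloginfo( 'version' ),
        'plugins'      => $plugins,
    );
}

// Daily push for sites whose REST API is blocked; unscheduling the event disables it.
add_action( 'wpaudit_daily_push', function () {
    $url = get_option( 'wpaudit_callback_url' );
    if ( $url ) {
        wp_remote_post( $url, array(
            'headers' => array( 'Content-Type' => 'application/json' ),
            'body'    => wp_json_encode( wpaudit_collect() ),
        ) );
    }
} );
if ( ! wp_next_scheduled( 'wpaudit_daily_push' ) ) {
    wp_schedule_event( time(), 'daily', 'wpaudit_daily_push' );
}
```

When reviewing any plugin that exposes audit data over REST, the permission_callback on the route is the check to look for, since without it the plugin inventory and hashes are readable by anyone who can reach the REST API.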
